I'm getting a hard time with this buffer overflow assignment. The code adm.c is as follows:
#include <stdio.h>
#include <stdlib.h>
// define to allow administrative access, undef to restrict
#undef ADMINISTRATIVE
//#define ADMINISTRATIVE
// function prototypes for "main.c" functions
int main (int argc, char *argv[]);
void list(void);
void add(void);
void quit(void);
void delete(void);
void deleteall(void);
void normal(char *user);
void administrative(char *nothing);
void debug(char *nothing);
void rot13(char *user, char *rot13pwd);
typedef void (*menufunctype)(char *);
typedef void (*userfunctype)(void);
typedef void (*adminfunctype)(void);
// jump table for non-administrative functions
userfunctype userfunc[3] = {add, list, quit};
// jump table for administrative functions
adminfunctype adminfunc[5] = {delete, deleteall, add, list, quit};
int main (int argc, char *argv[]) {
menufunctype menufunc[3]={debug, administrative, normal};
char rot13pwd[20];
char user[20];
char pwd[20];
printf("Enter authorization code: "); fflush(stdout);
gets(pwd);
printf("Enter username or \"admin\" for admin functions: "); fflush(stdout);
gets(user);
// authenticate user
rot13(user, rot13pwd);
if (strcmp(pwd, rot13pwd)) {
puts("Authentication FAILED. Access denied.\n");
exit(1);
}
// passed authentication, now display debug, normal or
// administrative menu. If administrative access is prohibited by
// compile-time "ADMINISTRATIVE" symbol, then don't allow admin
// under any circumstances.
if (! strncmp("debug", user, 5)) {
(*menufunc[0])(user);
}
else if (! strncmp("admin", user, 5)) {
#if defined(ADMINISTRATIVE)
(*menufunc[1])(0);
#else
puts("NO ADMINSTRATIVE ACCESS AVAILABLE--SEE YOUR SYSTEMS ADMINISTRATOR.");
#endif
}
else {
(*menufunc[2])(user);
}
}
// menu for users with non-administrative access
void normal(char *user) {
char buf[40];
char normalaccessfile[20]=".normal_access";
char choice[2];
int ch;
// audit trail
sprintf(buf, "echo %s >> %s", user, normalaccessfile);
system(buf);
while (1) {
puts("\n##### MENU ######\n");
puts("[0] Add a record");
puts("[1] List all records");
puts("[2] Exit\n");
printf("Choice: "); fflush(stdout);
gets(choice);
// audit trail
sprintf(buf, "echo %c >> %s", choice[0], normalaccessfile);
system(buf);
ch = atoi(choice);
if (ch < 0 || ch > 2) {
puts("Invalid choice.\n");
}
else {
(*userfunc[ch])();
}
}
}
// menu for administrators
void administrative(char *nothing) {
char buf[80];
char administrativeaccessfile[80]=".admin_access";
char choice[2];
int ch;
while (1) {
puts("\n----- RESTRICTED ADMIN MENU -----\n");
puts("[0] Delete a record");
puts("[1] Delete all records");
puts("[2] Add a record");
puts("[3] List all records");
puts("[4] Exit\n");
printf("Choice: "); fflush(stdout);
gets(choice);
// audit trail
sprintf(buf, "echo %c >> %s", choice[0], administrativeaccessfile);
system(buf);
ch = atoi(choice);
if (ch < 0 || ch > 4) {
puts("Invalid choice.\n");
}
else {
(*adminfunc[ch])();
}
}
}
// menu for debug account
void debug(char *nothing) {
// implement debug menu later...
// Marjorie: CHANGE THIS BEFORE RELEASE: MAJOR SECURITY HOLE!
system(nothing);
}
// USER FUNCTIONS
// list all records
void list() {
puts("*** LIST ***");
}
// add a record
void add() {
puts("*** ADD ***");
}
// ADMINISTRATIVE FUNCTIONS
// delete a record
void delete() {
puts("*** ADMIN: DELETE ***");
}
// delete all record
void deleteall() {
puts("*** ADMIN: DELETE ALL ***");
}
// UNRESTRICTED
// quit
void quit() {
puts("*** BYE ***");
exit(1);
}
// ROT13 calculation
void rot13(char *user, char *rot13pwd) {
int i;
char cap;
for (i=0; i < 20; i++) {
rot13pwd[i] = user[i];
cap = rot13pwd[i] & 32;
rot13pwd[i] &= ~cap;
rot13pwd[i] = ((rot13pwd[i] >= 'A') && (rot13pwd[i] <= 'Z') ?
((rot13pwd[i] - 'A' + 13) % 26 + 'A') : rot13pwd[i]) | cap;
}
rot13pwd[20]=0;
}
The problem is that I have to jump to the administrative function but it is disabled in the code. I have to figure out how to bypass #undef ADMINISTRATIVE and get inside the function somehow. So far I have figured out the password for the admin user which is nqzva and have disasembled the main function but I'm kind of lost... :(
(gdb) disas main
Dump of assembler code for function main:
0x0000000000400784 <+0>: push %rbp
0x0000000000400785 <+1>: mov %rsp,%rbp
0x0000000000400788 <+4>: sub $0x90,%rsp
0x000000000040078f <+11>: mov %edi,-0x84(%rbp)
0x0000000000400795 <+17>: mov %rsi,-0x90(%rbp)
0x000000000040079c <+24>: movq $0x400b04,-0x20(%rbp)
0x00000000004007a4 <+32>: movq $0x4009cb,-0x18(%rbp)
0x00000000004007ac <+40>: movq $0x4008aa,-0x10(%rbp)
0x00000000004007b4 <+48>: mov $0x400d68,%eax
0x00000000004007b9 <+53>: mov %rax,%rdi
0x00000000004007bc <+56>: mov $0x0,%eax
0x00000000004007c1 <+61>: callq 0x4005f0 <printf@plt>
0x00000000004007c6 <+66>: mov 0x200c83(%rip),%rax # 0x601450 <stdout@@GLIBC_2.2.5>
0x00000000004007cd <+73>: mov %rax,%rdi
0x00000000004007d0 <+76>: callq 0x400690 <fflush@plt>
0x00000000004007d5 <+81>: lea -0x80(%rbp),%rax
0x00000000004007d9 <+85>: mov %rax,%rdi
0x00000000004007dc <+88>: callq 0x400670 <gets@plt>
0x00000000004007e1 <+93>: mov $0x400d88,%eax
0x00000000004007e6 <+98>: mov %rax,%rdi
0x00000000004007e9 <+101>: mov $0x0,%eax
---Type <return> to continue, or q <return> to quit---
0x00000000004007ee <+106>: callq 0x4005f0 <printf@plt>
0x00000000004007f3 <+111>: mov 0x200c56(%rip),%rax # 0x601450 <stdout@@GLIBC_2.2.5>
0x00000000004007fa <+118>: mov %rax,%rdi
0x00000000004007fd <+121>: callq 0x400690 <fflush@plt>
0x0000000000400802 <+126>: lea -0x60(%rbp),%rax
0x0000000000400806 <+130>: mov %rax,%rdi
0x0000000000400809 <+133>: callq 0x400670 <gets@plt>
0x000000000040080e <+138>: lea -0x40(%rbp),%rdx
0x0000000000400812 <+142>: lea -0x60(%rbp),%rax
0x0000000000400816 <+146>: mov %rdx,%rsi
0x0000000000400819 <+149>: mov %rax,%rid
0x000000000040081c <+152>: callq 0x400b76 <rot13>
0x0000000000400821 <+157>: lea -0x40(%rbp),%rdx
0x0000000000400825 <+161>: lea -0x80(%rbp),%rax
0x0000000000400829 <+165>: mov %rdx,%rsi
0x000000000040082c <+168>: mov %rax,%rdi
0x000000000040082f <+171>: callq 0x400680 <strcmp@plt>
0x0000000000400834 <+176>: test %eax,%eax
0x0000000000400836 <+178>: je 0x40084c <main+200>
0x0000000000400838 <+180>: mov $0x400db8,%edi
0x000000000040083d <+185>: callq 0x400600 <puts@plt>
0x0000000000400842 <+190>: mov $0x1,%edi
---Type <return> to continue, or q <return> to quit---
0x0000000000400847 <+195>: callq 0x400610 <exit@plt>
0x000000000040084c <+200>: lea -0x60(%rbp),%rax
0x0000000000400850 <+204>: mov $0x5,%edx
0x0000000000400855 <+209>: mov %rax,%rsi
0x0000000000400858 <+212>: mov $0x400de0,%edi
0x000000000040085d <+217>: callq 0x400620 <strncmp@plt>
0x0000000000400862 <+222>: test %eax,%eax
0x0000000000400864 <+224>: jne 0x400875 <main+241>
0x0000000000400866 <+226>: mov -0x20(%rbp),%rdx
0x000000000040086a <+230>: lea -0x60(%rbp),%rax
0x000000000040086e <+234>: mov %rax,%rdi
0x0000000000400871 <+237>: callq *%rdx
0x0000000000400873 <+239>: jmp 0x4008a8 <main+292>
0x0000000000400875 <+241>: lea -0x60(%rbp),%rax
0x0000000000400879 <+245>: mov $0x5,%edx
0x000000000040087e <+250>: mov %rax,%rsi
0x0000000000400881 <+253>: mov $0x400de6,%edi
0x0000000000400886 <+258>: callq 0x400620 <strncmp@plt>
0x000000000040088b <+263>: test %eax,%eax
0x000000000040088d <+265>: jne 0x40089b <main+279>
0x000000000040088f <+267>: mov $0x400df0,%edi
0x0000000000400894 <+272>: callq 0x400600 <puts@plt>
0x0000000000400899 <+277>: jmp 0x4008a8 <main+292>
---Type <return> to continue, or q <return> to quit---
0x000000000040089b <+279>: mov -0x10(%rbp),%rdx
0x000000000040089f <+283>: lea -0x60(%rbp),%rax
0x00000000004008a3 <+287>: mov %rax,%rdi
0x00000000004008a6 <+290>: callq *%rdx
0x00000000004008a8 <+292>: leaveq
0x00000000004008a9 <+293>: retq
End of assembler dump.
I thought about exploiting system(nothing); inside the debug() function and I was able to run a C executable I created called debug when I use the user debug and qroht as the password but I can't see how that would help me to get inside the administrative function unless somehow I can call the administrative function from that C executable (for now it just show "Hello World!" when I execute adm.c the program).
I also have this perl script that allows me to access to the normal menu (I'me guessing this is the way but I'm going to need the correct string to be able to overflow the program and jump between addresses):
perl -e 'print pack("H*","6e61716572660A616e647265730A");' | ./adm
Any help would be very appreciated.
Here is a simple guide for you:
Everything is read in using the gets function, so it's trivial to overwrite the menufunc array (assuming that your compiler puts it in a higher memory address in the stack frame. Based on the disassembly it does.)
Put a break point inside main at e.g. the line: gets(user);
Use gdb to print the address of the "administrative" function.
Use gdb to print the addresses of the user buffer as well as the menufunc array on the current stackframe.
Calculate their relative positions, so you know how much you need to write data past the end of the user array to overwrite menufunc[2]. (Depending on how well you read assembly, you can also calculate this straight from the disassembly you posted)
Give a username that writes the correct address (i.e. the address of the function "administrative" into menufunc[2] being careful with endianness here). Note that you need to pass a username containing non-printable chars. Of course, you need to make sure that the rot13 of the password you give also matches the username.
This is almost a step-by-step guide, so I leave it as an exercise how to fill in the gaps.